[Snort-users] Alerts not Detected during Import?

Dusty Hall halljer at ...8709...
Thu Jun 26 09:00:03 EDT 2003


We are experiencing a problem with Snort not reporting alerts that we
have in our rules files.  Here's some background:

We copy our Snort tcpdump logs from our sniffer to our MySQL/ACID
system and then import the tcpdump logs into ACID/MySQL.  From the looks
of our alert files the specific alerts were detected by our sniffer but
not by Snort on our DB box.  So what I'm trying to ask is, do the
tcpdump log files from our sniffer box have all detected alerts in
tcpdump format that were sniffed on the wire?  Is there enough
information in the tcpdump files from our sniffer to process them again and
pull out the same alerts?  Here are the steps we use: (Yes, we have
identical rules on both systems and both have the same version of
Snort.)

Sniffer:

  snort.conf output snip -> "output log_tcpdump: snort-log"

  /usr/local/bin/snort -c /usr/local/snort/etc/snort.conf -D -b -o -i eth1 -A fast

-------

DB Import:

  snort.conf output snip -> "output database: alert, mysql, user=snort password=xxxxxxx dbname=snort host=localhost"

  /usr/local/bin/snort -N -dve -c /usr/local/snort/etc/snort.conf -l /usr/local/snort/logs -dr /usr/local/snort_logs/tcplogs/snort-logifle.log


Note: After I run the import and look at the newly created "alert"
file, it is much smaller than the "alert" file from our sniffer.  

Any help would be greatly appreciated.  I'm open to new ways of doing
this!

Thanks,


-Dusty
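As an added example (not part of Dusty's post), here is a small Python script that compares the sniffer's fast-format "alert" file against the one produced by re-reading the pcap on the DB box, and lists the signatures that fired fewer times on the re-import. The sample alert lines are constructed, and the regex assumes Snort's fast alert layout `[**] [gid:sid:rev] msg [**]`.

```python
"""Compare two Snort fast-format alert files and report which signatures
fired on the sniffer but not (or fewer times) when the pcap was re-read.
Added example, not from the original post; sample lines are constructed."""
import re
from collections import Counter

# One fast-format alert per line: "<ts>  [**] [gid:sid:rev] <msg> [**] ..."
FAST_ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")

# Constructed sample: what the sniffer's alert file might contain.
SNIFFER_ALERTS = """\
06/26-08:10:01.000001  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.5:1434
06/26-08:10:02.000002  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.11:3391 -> 198.51.100.80:80
06/26-08:10:03.000003  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.12:3392 -> 198.51.100.80:80
06/26-08:10:04.000004  [**] [111:2:1] (spp_stream4) possible EVASIVE RST detection [**] {TCP} 192.0.2.13:4040 -> 198.51.100.22:22
"""

# Constructed sample: the alert file produced by re-reading the pcap with -r.
IMPORT_ALERTS = """\
06/26-08:10:01.000001  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.5:1434
06/26-08:10:02.000002  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.11:3391 -> 198.51.100.80:80
"""


def parse_fast_alerts(text):
    """Return a Counter keyed by (gid, sid, rev, msg) for every alert line."""
    counts = Counter()
    for line in text.splitlines():
        m = FAST_ALERT_RE.search(line)
        if m:  # skip blank lines and anything that is not a fast alert
            gid, sid, rev, msg = m.groups()
            counts[(int(gid), int(sid), int(rev), msg)] += 1
    return counts


def missing_alerts(sniffer_text, import_text):
    """Signatures the sniffer saw that the re-import produced fewer times.
    Returns {(gid, sid, rev, msg): (sniffer_count, import_count)}."""
    seen = parse_fast_alerts(sniffer_text)
    replayed = parse_fast_alerts(import_text)
    return {sig: (n, replayed.get(sig, 0))
            for sig, n in seen.items() if replayed.get(sig, 0) < n}


if __name__ == "__main__":
    for sig, (n_sniff, n_import) in sorted(missing_alerts(SNIFFER_ALERTS, IMPORT_ALERTS).items()):
        print(f"{sig[0]}:{sig[1]}:{sig[2]} {sig[3]!r}: sniffer={n_sniff} import={n_import}")
```

Preprocessor alerts (gid 111 and friends) and any rule that needs stream state are the usual suspects when the re-import count is lower, since they depend on context beyond the single packets that were logged.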